I've set up the SalesForce Add-on and all seemed to be working. The plug-in went back over 30 days and started parsing files fine. Once it got to 1/30, they started failing.
When I investigated the _internal log for errors, I saw many 404 errors when pulling the logfile from SalesForce.
I pulled the 52 URLs from the _internal log pointing at the SalesForce logfiles and tried to pull them manually. I still received a 404. I then went to the SalesForce developer workbench and used SOQL to pull a list of all of our SalesForce event log files. I then cross-referenced what I found in the _internal log and noticed that none of the files exist.
So Splunk is trying to pull files from SalesForce that don't exist.
Any help here? Anyone experienced this before?
All my SF objects are being ingested properly. It's just the SalesForce Event Logfiles. So I have no new events from 1/31 and onward from the event log files.
Why is Splunk trying to pull non-existent files?
I followed this documentation on setting this up: https://aws.amazon.com/blogs/mt/ingest-aws-config-data-into-splunk-with-ease/
We are on Splunk Enterprise 7.1.3.
Sometimes our data is parsed properly, but I've noticed that on many occasions multiple events get forwarded to HEC and HEC can't properly parse them. These multiple events end up as just raw input in Splunk when I need Splunk to intelligently parse this info.
I have set up a Lambda function on my Kinesis stream so I can manually parse this. I'm also considering splitting the records up and making sure only one record gets forwarded to Splunk at a time, and then I'll throw the extra messages back into the Kinesis stream, but that feels like a really bad hack. Not sure what I can do to fix this. Has anyone else had this issue and found a solution?